
Evernote’s Action Plan for Privacy

Posted by Chris O'Neill on 19 Dec 2016


Dear Evernote Community:

Good businesses are built on trust and collaboration — not only within their own walls, but also between the people who build a product and the people who rely upon it. You place billions of your most important thoughts and ideas in Evernote; we must honor that trust by ensuring they remain private and confidential.

Last week we announced changes to our privacy policy that fell short of your expectations of Evernote. Many of you spoke up, and I’ve spent the last few days listening to the concerns you’ve raised. In addition to withdrawing the changes we previously announced, we will be doing the following to meet—and, hopefully, exceed—your expectations in the future:

First, I’ve reviewed our internal controls and processes with our technical, security, and legal teams. While I’m confident that our existing controls provide a level of security comparable with other cloud providers, it has become clear to me that parity is not enough. Our goal should be to lead the thinking in this area, as new technologies continually challenge society’s understanding and expectations of what privacy is and should be. As a first step, we have heightened our already strict controls on employee access levels across the company and, starting today, I will be managing this process personally. In addition, we are reviewing options to give users more control over the security of their own notes.

Second, I have reached out to data and privacy experts around the world and intend to seek their ongoing guidance around privacy and emerging technologies. I have spoken with John Verdi at the Future of Privacy Forum (FPF), and we will partner with FPF as we define our future approach to privacy. You will see a new policy from us early in 2017. In addition, our leading privacy expert (and VP of Legal) Emily Hancock has been a co-chair of the Enterprise Cloud Privacy Group for the past two years. I’ve asked her to work directly with ECPG and other similar industry organizations in advising us on privacy matters going forward, and to expand the groups she works with.

Finally, I’ve asked Josh Zerkel, our Director of Community, to establish a new Evernote Customer and Community Advisory Board that will meet quarterly. This group will provide a systematic way to inject customer feedback into major decisions. The first of these panels will meet in February in San Francisco.

The past few days have been deeply humbling for us, but I believe these steps will put us in the forefront of cloud privacy thinking. My promise to you is simple: collaboration and trust. You deserve nothing less.

If at any point you feel we aren’t listening, please don’t hesitate to contact me personally via Twitter (@croneill) or email (ceochris@evernote.com) with your concerns. I thank the many of you who did so in the past week.

Bravo! Refreshing to see a company that listens to its customers. Looking forward to more info on #2 and #3 above in 2017.

DavidM—

I appreciate the attempt being made to not only mitigate against the fears of users but also to start listening to users. Bravo!

Chris—

So, basically you want us to trust your Great CEO Chris O’Neill and you guys will be consulting privacy experts. This is your action plan? Jack up your price even more and continue launching your great machine learning plan that no one has asked for.

Ryan Mercer—

Even though I didn’t care about the stuff last week, good on you for listening to the customers of yours that did freak out. Good companies adapt to meet the needs and concerns of their customers and you appear to be doing just that!

Hans—

Happy to see that you are listening to your customers’ feedback!

Please, also add encryption of full accounts/notebooks as an option.

APC—

+1 for full account / notebook encryption, where I hold the key.

Alexei Tetenov—

I’m for encryption of data in transit, to reduce the ability of people to see my data in transit, but if notes are encrypted, won’t that prevent these encrypted notes from being searchable? Doesn’t Evernote search your un-encrypted notes to generate a list of synonyms for each note, and encrypting the note, would prevent this?

My recommendation is that you use a password manager for encrypted notes. Or better yet, don’t put those notes in a computer that connects to a network.

ACJACC—

+1. The way to User Trust, Security and Privacy is the option for CLIENT-SIDE ENCRYPTION of full account or at least of notebooks (and not just text inside one note).

mystrangeworld—

Dear Mr O’Neill,

thank you for again showing that EN is caring about its stakeholders.

Best,

Tom—

Much better response than “we apologize for the poor communication”. I guess you realized that it wasn’t the communication that was poor. Thanks for this update.

M. Hunt—

Cloud companies always seem to grasp for increased user data first and ask for it later.

I appreciate your taking steps to address user concerns here.

I am resisting the inclination to attribute it to PR and crisis management concerns, rather than to a real ‘come to Jesus’ moment on user privacy. Time will tell if I am right to do so, I suppose.

Imran—

I think one thing that could work is an option for complete encryption of all notes – you can bury the option behind a bunch of settings/confirmation boxes to ensure that people don’t accidentally turn it on and risk forgetting their password, but an OPTION for full end-to-end encryption could be a good step to “win” hearts and minds.

John MacPherson Allan—

Nice response, Chris. Evernote is a great product!!

Doug Turner—

“But we still won’t listen to users who want just simple functions available on multiple devices. You must have all the bells and whistles, but you can only have it on 2 devices.”

ChristianKl—

You can use Evernote for more than two devices. You just need to get a paid account. Given that Evernote is supposed to make its money with selling its software to users and not with selling user data to third parties there’s nothing wrong with limiting the features of the free version.

Chris Traganos—

Thanks for sharing Chris, this is a great follow up

MM—

This response and change of direction is exactly what Evernote needs and gives me faith in the Company and its direction. I wouldn’t follow that trajectory (or, frankly, care so much), if I didn’t think EN was the best solution for many of my information and organization challenges. When we consumers cried out for more note privacy and security features, the answer from EN has always been, “use local notebooks.” That response ignores those of us who (1) create on our mobile devices, and (2) use EN because it frees us from our desktop Macs and PCs. On the other side of the spectrum are those (including many who have replied to this news posting) who would encrypt all notes. It seems to me the answer is to transition from select, local notebooks to select, encrypted notebooks, with the remainder of notebooks available for machine processing and advanced search features. Please accept my vote for that compromise solution.

ChristianKl—

The article http://mobileecosystemforum.com/2016/08/30/understanding-data-protection-becoming-a-mobile-privacy-pro/ has an interesting quote:
“With a broad raft of evolving legal requirements to meet, implementing practical steps for the handling of consumer’s personal data can seem a daunting prospect.”

Legal privacy requirements shouldn’t be a huge issue if a company would truly care about privacy. It’s about going well beyond what’s legally required.

NAG Projects—

Glad that the customers’ feedback is taken very seriously. Good job.
Visit: NAG-PROJECTS

Romai Lamounier—

That shows us (customers) how seriously Evernote wants to improve its app and get closer to users. Clearly it will be a gain-gain situation and a winner behavior.

Matthew Nunney—

Thank you for taking the comments seriously; many companies would not listen to consumer feedback. When I read the comments initially I started searching for another platform as Evernote is currently my trusted repository. I will halt that search now.

Patrick—

A good start to earn back trust, respect. But now, if you honestly want to add privacy for your users, then essentially do one thing: add full client-side encryption for whole notebooks.

CR—

Thanks Evernote. You are my favorite program, and I was about to delete… I’d love to share more opinions on how I think software could better serve me and not have machines try to figure me out. Your users are a bunch of smart people- maybe we can give more suggestions in how to improve our workflow?